Is there a way to hook Windows syscalls on 64-bit builds using a kernel-mode driver? (without disabling PG)


Is there a way to hook WinAPI system calls on 64-bit builds of Windows without disabling PG (PatchGuard)? SSDT hooking using a kernel-mode driver is not an option, because PatchGuard will crash the system when it detects a hook.

For example, a process wants to call CreateProcessA; how do I block (or allow) it depending on the arguments that are passed to it? (However, I would like to know specifically how to hook any or most of the API functions.)

Windows Defender does this: if you try running sc query it will work, but running sc stop WinDefend will trigger a threat alert.


1 answer

Answer by mr.saraan

I can provide you with pseudocode, according to my understanding, which is somewhat high level, for creating a system-wide hook. Obviously the actual implementation will be tedious and lengthy.

// Detours hook for CreateProcessA, built as a DLL that is loaded into the target process.
#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")

// Function pointer type matching CreateProcessA; needed to call the original after interception.
typedef BOOL (WINAPI *LPFN_CREATEPROCESSA)(LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES,
    LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCSTR, LPSTARTUPINFOA, LPPROCESS_INFORMATION);

// Pointer to the original CreateProcessA; DetourAttach rewrites it to point at the trampoline.
static LPFN_CREATEPROCESSA pOriginalCreateProcessA = CreateProcessA;

// Detoured CreateProcessA: log the request, then let the original function create the process.
static BOOL WINAPI MyCreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment,
    LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    OutputDebugStringA("MyCreateProcessA: ");
    OutputDebugStringA(lpCommandLine ? lpCommandLine
                       : lpApplicationName ? lpApplicationName : "(no command line)");
    return pOriginalCreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes,
        lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment,
        lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}

// DLL entry point: install the detour on process attach, remove it again on detach.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (DetourIsHelperProcess())            // withdll.exe's 32/64-bit helper process: do nothing
        return TRUE;

    if (fdwReason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)pOriginalCreateProcessA, MyCreateProcessA);
        if (DetourTransactionCommit() != NO_ERROR)
            return FALSE;                   // hook not installed; fail the DLL load
    } else if (fdwReason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)pOriginalCreateProcessA, MyCreateProcessA);
        DetourTransactionCommit();
    }
    return TRUE;
}
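The question asks how to block or allow a process creation depending on its arguments. Whatever interception point is used (a user-mode detour such as the one in the answer above, or something on the kernel side), the part that actually decides is a policy check over the new process's command line. Below is an added example of that check in portable C; it is not code from the question, from the answer, or from Windows. It assumes the command line arrives as one string, the way CreateProcessA receives lpCommandLine, tokenizes it with the rules Windows applies in CommandLineToArgvW (a backslash is an escape only when it precedes a double quote), and applies a constructed rule set that generalizes the page's example slightly: sc query is allowed, while sc stop, sc delete or sc config aimed at WinDefend is denied. The sample command lines are constructed. The Windows-specific hooking layer is not shown.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 32
#define MAX_ARG_LEN 256

/* Append one character to the argument being built; refuse to overflow it. */
static bool push(char *out, size_t *len, char c)
{
    if (*len + 1 >= MAX_ARG_LEN) return false;
    out[(*len)++] = c;
    return true;
}

/* Split a Windows command line into argv using the CommandLineToArgvW rules:
   spaces/tabs separate arguments, double quotes group text, and a backslash is
   an escape only when it precedes a double quote (2n backslashes + quote gives
   n backslashes and the quote toggles quoting; 2n+1 gives n backslashes and a
   literal quote). Returns argc, or -1 if the line does not fit the buffers. */
int split_command_line(const char *cmdline, char argv[][MAX_ARG_LEN], int max_args)
{
    int argc = 0;
    const char *p = cmdline;

    for (;;) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0') return argc;
        if (argc >= max_args) return -1;

        char *out = argv[argc];
        size_t len = 0;
        bool in_quotes = false;

        while (*p != '\0' && (in_quotes || (*p != ' ' && *p != '\t'))) {
            if (*p == '\\') {
                size_t n = 0;
                while (*p == '\\') { n++; p++; }
                size_t keep = (*p == '"') ? n / 2 : n;
                for (size_t i = 0; i < keep; i++)
                    if (!push(out, &len, '\\')) return -1;
                if (*p == '"' && n % 2 == 1) {      /* escaped literal quote */
                    if (!push(out, &len, '"')) return -1;
                    p++;
                }
                continue;                            /* even count: quote handled below */
            }
            if (*p == '"') { in_quotes = !in_quotes; p++; continue; }
            if (!push(out, &len, *p++)) return -1;
        }
        out[len] = '\0';
        argc++;
    }
}

/* Case-insensitive comparisons without relying on strcasecmp/_stricmp. */
static bool ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}
static bool ieq(const char *a, const char *b)
{
    return strlen(a) == strlen(b) && ieq_n(a, b, strlen(a));
}

/* True if argv[0] names the image `name`, ignoring any directory and a ".exe" suffix. */
bool image_is(const char *arg0, const char *name)
{
    const char *base = arg0;
    for (const char *q = arg0; *q; q++)
        if (*q == '\\' || *q == '/') base = q + 1;
    size_t n = strlen(base);
    if (n >= 4 && ieq_n(base + n - 4, ".exe", 4)) n -= 4;
    return strlen(name) == n && ieq_n(base, name, n);
}

/* Constructed policy for the page's example: "sc query" is allowed, while
   "sc stop/delete/config WinDefend" is denied. Fails closed on an unparseable line. */
bool should_block_process(const char *cmdline)
{
    static const char *const denied_verbs[] = { "stop", "delete", "config" };
    char argv[MAX_ARGS][MAX_ARG_LEN];
    int argc = split_command_line(cmdline, argv, MAX_ARGS);

    if (argc < 0) return true;
    if (argc < 3 || !image_is(argv[0], "sc")) return false;
    for (int i = 1; i + 1 < argc; i++)               /* verb may follow a \\server argument */
        for (size_t v = 0; v < sizeof denied_verbs / sizeof denied_verbs[0]; v++)
            if (ieq(argv[i], denied_verbs[v]) && ieq(argv[i + 1], "WinDefend"))
                return true;
    return false;
}

int main(void)
{
    /* Constructed sample command lines, as a detour would see lpCommandLine. */
    const char *samples[] = {
        "sc query",
        "sc stop WinDefend",
        "\"C:\\Windows\\System32\\sc.exe\" STOP windefend",
        "sc \\\\fileserver stop WinDefend",
        "sc config WinDefend start= disabled",
        "notepad.exe stop WinDefend",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48s -> %s\n", samples[i], should_block_process(samples[i]) ? "BLOCK" : "allow");
    return 0;
}
```

Two caveats for anyone building on this. First, a check keyed on the image name and command-line text is trivially evaded (copy sc.exe under another name, or use net stop, PowerShell's Stop-Service, or the service control API directly), so a real product also has to key on the object being acted on rather than on the tool. Second, any decision made inside a user-mode detour runs in the attacker's own process and can be unhooked or bypassed by that process; it is useful for observation, not as an enforcement boundary.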